Virus

W32/Scold.B@mm

Analysis

  • The virus is a 32-bit Windows executable with a compressed file size of 28,160 bytes, and is a minor variant of W32/Scold.A@mm
  • The virus is introduced to a target system as an email attachment sent from another infected user
  • If the virus is run, it may copy itself to the <Windows> folder as "warm.scr" and modify the registry so that the virus runs automatically at the next Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    ExeName32 = C:\WINNT\warm.scr

  • The virus creates an email message for each contact listed in the Windows address book. The message may vary slightly and has the following properties:

    Subject: <x> When It´s Cold Outside She Gives Me Warm Inside <random>
    Body 1:
    You will love this cute picture.

    Body 2:
    Enjoy this great picture.

    Body 3:
    Don't miss this cool picture.

    Additional Body:
    ============= Free Online Virus Scan =============
    100% VIRUS FREE
    No viruses or suspicious files were found in the attached file.
    Attachment: <random>.scr

  • In the example above, <x> is either "", "Fw:" or "Re:", and <random> is a string of random letters
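The message properties and the registry persistence entry described above translate directly into mail-gateway and host detection logic. The following Python script is an added example written for this page; it is not Fortinet code and does not describe how FortiGate implements its filters. It encodes the subject pattern (optional "Fw:"/"Re:" prefix, the fixed phrase, trailing random letters), the "Free Online Virus Scan" body marker and the .scr attachment as indicators, runs them over a few constructed sample messages, and separately checks a Run-key value for the "ExeName32 = ...\warm.scr" persistence entry. The sample messages, the Message class and all function names are constructed for this example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Indicators taken from the analysis above.
# Subject: <x> When It's Cold Outside She Gives Me Warm Inside <random>
# where <x> is "", "Fw:" or "Re:" and <random> is a run of letters.
# "It.s" tolerates both the straight and the acute apostrophe seen in the wild.
SUBJECT_RE = re.compile(
    r"^\s*(?:(?:Fw|Re):\s*)?When It.s Cold Outside She Gives Me Warm Inside\s+[A-Za-z]+\s*$",
    re.IGNORECASE,
)
BODY_MARKER = "Free Online Virus Scan"   # fake scan banner appended to every body
ATTACHMENT_RE = re.compile(r"\.scr$", re.IGNORECASE)
AUTORUN_VALUE = "ExeName32"              # value name under HKLM\...\CurrentVersion\Run
AUTORUN_TARGET = "warm.scr"              # file the value points at


@dataclass
class Message:
    """Minimal mail representation constructed for this example."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def scold_indicators(msg: Message) -> List[str]:
    """Return the list of Scold indicators present in a message, in a fixed order."""
    hits = []
    if SUBJECT_RE.match(msg.subject):
        hits.append("subject")
    if BODY_MARKER.lower() in msg.body.lower():
        hits.append("body")
    if any(ATTACHMENT_RE.search(name) for name in msg.attachments):
        hits.append("scr-attachment")
    return hits


def is_scold_message(msg: Message) -> bool:
    """Flag on the distinctive subject alone, or on the fake-scan banner plus an .scr attachment.

    An .scr attachment by itself is left to the general attachment-blocking policy,
    so that this rule stays specific to the Scold.B lure."""
    hits = scold_indicators(msg)
    return "subject" in hits or ("body" in hits and "scr-attachment" in hits)


def flagged_indices(messages: List[Message]) -> List[int]:
    """Indices of the messages that match the Scold.B lure."""
    return [i for i, m in enumerate(messages) if is_scold_message(m)]


def is_scold_autorun(value_name: str, data: str) -> bool:
    """Check one Run-key value (name and data, as read from the registry) against the
    persistence entry described above: ExeName32 pointing at warm.scr in any folder."""
    return (value_name.lower() == AUTORUN_VALUE.lower()
            and ntpath.basename(data).lower() == AUTORUN_TARGET)


# Constructed sample traffic: one Scold.B message, one ordinary message,
# and one unrelated message that merely carries an .scr attachment.
SAMPLE_MESSAGES = [
    Message(
        "Re: When It's Cold Outside She Gives Me Warm Inside qzkt",
        "You will love this cute picture.\n\n"
        "============= Free Online Virus Scan =============\n"
        "100% VIRUS FREE\n"
        "No viruses or suspicious files were found in the attached file.\n",
        ["qzkt.scr"],
    ),
    Message("Quarterly report", "Please find the figures attached.", ["report.pdf"]),
    Message("Holiday photos", "Enjoy this great picture.", ["beach.scr"]),
]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        print(i, scold_indicators(m), "FLAGGED" if is_scold_message(m) else "clean")
    print("autorun hit:", is_scold_autorun("ExeName32", r"C:\WINNT\warm.scr"))
```

Running the script flags only the first sample; the third shows an .scr attachment alone is reported as an indicator but left to the attachment-blocking rule rather than the Scold-specific one. The registry check is deliberately written over a (name, data) pair rather than reading the registry itself, so it can be fed output from any host inventory tool.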

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option

  • Enable blocking of .SCR file attachments in the FortiGate manager interface for the POP3, SMTP and IMAP email services
  • Add the following words to the Email quarantine feature of FortiGate:

    Cold+Outside+She+Gives+Me+Warm+Inside

  • Configure email server applications to quarantine emails tagged by FortiGate and delete them as necessary